Abstract

Recently two encryption schemes were proposed by combining circular bit shift
and XOR operations, under the control of a pseudorandom bit sequence (PRBS)
generated from a chaotic system. This paper studies the security of these two
encryption schemes and reports the following findings: 1) there exist some
security defects in both schemes; 2) the underlying chaotic PRBS can be
reconstructed as an equivalent key by using only two chosen plaintexts; 3) most
elements in the underlying chaotic PRBS can be obtained by a differential
known-plaintext attack using only two known plaintexts. Experimental results
are given to demonstrate the feasibility of the proposed attack.
1 Introduction



In the past three decades, many digital chaotic ciphers [1-9] and analog
chaos-based secure communication schemes [2,3,10-12] have been proposed, trying
to explore the intrinsic relationship between chaos and cryptography. However,
due to the lack of strict scrutiny of their security, most chaos-based
cryptosystems have been found insecure against various attacks [6-9,12,13].

In [14], a new block encryption scheme was proposed by combining circular bit
shift and XOR operations, under the control of a pseudorandom bit sequence
(PRBS) generated from the chaotic logistic map. Later, in [15], the above
encryption scheme was further modified¹ by adopting some alterations, such
as replacing the logistic map with a delayed chaotic neural network (DCNN).

In [14, Sec. 6.2], it is pointed out that the encryption scheme based on the
logistic map is not secure enough against chosen-plaintext attack, because there
exists some information leakage about the chaotic trajectory involved. Then,
the authors of [14] suggested using key switching and/or "cycling chaos" [16]
as remedies to further improve the security. However, as we show below in this
paper, the information leakage is actually not the main reason why the
encryption scheme is not secure against chosen-plaintext attack. We further show
that both encryption schemes are not only insecure against chosen-plaintext
attack, but also insecure against a differential known-plaintext attack. In
addition, we will point out some other security defects existing in the design
of these two chaos-based encryption schemes.

The rest of the paper is organized as follows. The next section gives a brief
introduction to the two encryption schemes. Some security problems existing in
both of the two encryption schemes are reported in Sec. 3. The main
cryptanalytic results about plaintext attacks are given in Sec. 4 with some
experimental results for demonstration. The last section concludes this paper.



2 Two Chaotic Encryption Schemes 

To facilitate the following description of the two encryption schemes, the
definitions of circular bit shift operations and some notations are first
introduced.

Definition 1 Assuming that $L \in \mathbb{Z}^+$, $x \in \mathbb{Z}$ and
$a = \sum_{i=0}^{L-1} (a_i \cdot 2^i) \in \{0, \cdots, 2^L - 1\}$, where
$a_i \in \{0, 1\}$, the L-bit left and right circular bit shift operations are
defined as follows:
$a \lll_L x = a \ggg_L (-x) = \sum_{i=0}^{L-1} (a_i \cdot 2^{(i+x) \bmod L})$
and
$a \ggg_L x = a \lll_L (-x) = \sum_{i=0}^{L-1} (a_i \cdot 2^{(i-x) \bmod L})$.

¹ Note that the authors of [15] did not make clear that their work is a
modification of the one proposed in [14]. However, it is obvious that the
DCNN-based scheme in [15] was originated from the work reported in [14] because
the encryption procedures of the two schemes are exactly the same except for
some minor modifications.

From Definition 1, one can easily verify some simple properties of the
circular bit shift operations:

1) $\forall\, x \equiv 0 \pmod{L}$, $a \lll_L x = a \ggg_L x = a$;

2) $\forall\, x_1 \equiv x_2 \pmod{L}$, $a \lll_L x_1 = a \lll_L x_2$ and
$a \ggg_L x_1 = a \ggg_L x_2$;

3) $\forall\, x_1 \equiv x_2 \pmod{L}$,
$(a \lll_L x_1) \ggg_L x_2 = (a \ggg_L x_1) \lll_L x_2 = a$.

The proofs are simple and therefore omitted. These properties will be used
directly hereinafter without further explanation.

Both encryption schemes work with L-bit blocks (some zero bits are padded
when the last plain-block contains fewer than L bits). In [14] L = 64 and in
[15] L = 32, so the two encryption schemes are 64-bit and 32-bit block ciphers,
respectively. Throughout the paper, we assume that the plaintext contains N
blocks, $\{P_j\}_{j=0}^{N-1}$, and the corresponding ciphertext is
$\{C_j\}_{j=0}^{N-1}$.



2.1 Encryption Scheme Based on the Logistic Map [14] 



In this scheme, the secret key is the initial condition x(0) and control
parameter $\mu$ of the following chaotic logistic map:

$$f(x) = \mu x (1 - x). \qquad (1)$$



The core of the encryption scheme is a PRBS, $\{B_i\}_{i=0}^{70N-1}$, which is
generated from the chaotic logistic map. Two pseudorandom number sequences
(PRNS), $\{A_j\}_{j=0}^{N-1}$ and $\{D_j\}_{j=0}^{N-1}$, are further derived
from the PRBS for the encryption/decryption purpose. The whole procedure can be
described in the following steps.²

• Step 1: Set j = 0, r = 3 and iterate the logistic map from x(0) for
$N_0 = 250$ times.

• Step 2: Iterate the logistic map for $N_1 = 70$ times to get a sequence
composed of 70 chaotic states. Then, extract the r-th bit from each chaotic
state's binary representation to get 70 pseudorandom bits
$\{B_i\}_{i=70j}^{70j+69}$.

• Step 3: Set $A_j = \sum_{k=0}^{63} (B_{70j+k} \cdot 2^{63-k})$,
$D_j = \sum_{k=64}^{69} (B_{70j+k} \cdot 2^{69-k})$ and j = j + 1.

• Step 4: If $j \le N - 1$, iterate the logistic map for $D_j$ times and then
go to Step 2; otherwise, stop the process.



² To give a clearer and simpler description, we change some notations used in [14].

After the two PRNS $\{A_j\}_{j=0}^{N-1}$ and $\{D_j\}_{j=0}^{N-1}$ have been
determined, the encryption procedure can be described easily by the following
equation:

$$C_j = (P_j \lll_{64} D_j) \oplus A_j. \qquad (2)$$

Accordingly, the decryption procedure is as follows:

$$P_j = (C_j \oplus A_j) \ggg_{64} D_j. \qquad (3)$$

2.2 Encryption Scheme Based on a Delayed Chaotic Neural Network [15] 



Compared with the scheme introduced in the last subsection, the DCNN-based 
one can be described as follows. 

(1) The chaotic system is replaced by a DCNN with n = 2 neurons, described 
by the following equation: 

l v tanh(x 2 (t)) J vtanh(x 2 (t - r(t)) J ' 1 ' 

where $(x_1(t), x_2(t))^T \in \mathbb{R}^2$ is the state vector associated with
the 2 neurons, $\tau(t)$ is a time-delay function, $C = \mathrm{diag}(c_1, c_2)$
is a diagonal matrix, and $A = [a_{i,j}]_{2 \times 2}$,
$B = [b_{i,j}]_{2 \times 2}$ are the connection weight matrix and the
delayed weight matrix, respectively.

As the main cryptanalysis given in this paper does not depend on this 
chaotic neural network, more details about this n-dimensional chaotic 
system are referred to [15, Sec. 2]. Since the chaotic neural network is an 
analogue dynamical system, it has to be approximated by a discrete-time 
one by using a numerical algorithm with time step h. 

(2) The secret key was claimed to include the initial condition and control 
parameters of the DCNN, the value of h, the structure of the DCNN and 
the numerical algorithm that implements the DCNN. 

(3) One neuron of the DCNN is selected to generate a shorter PRBS,
$\{B_i\}_{i=0}^{38N-1}$, for the encryption of each plain-block. The generation
process of the PRBS is now changed as follows, where s is used to choose one
neuron for encryption of the next plain-block.

• Step 1: Set j = 0, r = 4, s = 1, and iterate the DCNN from its initial
condition for $N_0 = 1000$ time steps.

• Step 2: Iterate the DCNN for $N_1 = 38$ time steps. For each state of
the s-th neuron, scale it to be within the unit interval [0, 1] and then
extract the r-th bit from the binary representation of the scaled state,
so as to get 38 pseudorandom bits $\{B_i\}_{i=38j}^{38j+37}$.

• Step 3: Set $A_j = \sum_{k=0}^{31} (B_{38j+k} \cdot 2^{31-k})$,
$D_j = \sum_{k=32}^{36} (B_{38j+k} \cdot 2^{36-k})$,
$s = B_{38j+37} + 1$ and j = j + 1.

• Step 4: If $j \le N - 1$, iterate the DCNN for $D_j$ time steps and then
go to Step 2; otherwise, stop the process.

(4) An extra bit shift operation is introduced on $A_j$. By doing that, the
encryption procedure becomes

$$C_j = (P_j \lll_{32} D_j) \oplus (A_j \ggg_{32} D_j). \qquad (5)$$

Similarly, the decryption procedure is changed to

$$P_j = (C_j \oplus (A_j \ggg_{32} D_j)) \ggg_{32} D_j. \qquad (6)$$



3 Some Security Problems 

3.1 Insufficient Randomness of Chaos-Based PRBS $\{B_i\}$

In both encryption schemes, it is expected that the PRBS is random enough 
to ensure a high level of security. However, as shown below, neither the chaotic 
trajectories of the logistic map nor those of the DCNN have a uniform distri- 
bution, which leads to insufficient randomness of the PRBS generated from 
these chaotic trajectories. 

For the logistic map, distributions of a number of chaotic trajectories,
generated by iterating Eq. (1) for $10^5$ times with random initial conditions
and random control parameters, were studied. All the distributions are quite
close to each other, so only one typical example is shown in Fig. 1 for
illustration. Apparently, the non-uniform distribution of the chaotic
trajectory will inevitably degrade the randomness of the derived PRBS
$\{B_i\}$. For verification, we employed the NIST statistical test suite [17] to
test the randomness of 100 binary sequences of length
$(256 \cdot 256/8) \cdot 70 = 573440$ (the number of bits used for encryption
of a 256 × 256 plain gray-scale image). Note that the 100 binary sequences were
generated with randomly selected secret keys. For each test, the default
significance level 0.01 was used. The results are shown in Table 1, from which
one can see that the PRBS $\{B_i\}$ does not satisfy the requirements of a good
random source.

Fig. 1. A typical distribution of some random chaotic trajectories of the
logistic map with control parameter $\mu = 3.999$.

Table 1
The performed tests and the number of sequences passing each test in a sample of
100 sequences.

Name of Test                      | Number of Passed Sequences
Frequency                         |
Block Frequency                   | 3
Cumulative Sums                   |
Runs                              |
Rank                              | 82
Discrete Fourier Transform        | 32
Non-overlapping Template Matching |
Serial                            |
Approximate Entropy               |

For the DCNN used in [15], the non-uniformity of the chaotic trajectory
corresponding to each neuron is even worse. Observing Fig. 1 in [15], one can
easily see that the trajectory seldom visits some regions of the phase space.
We performed some experiments to further investigate this problem.³ Figure 2
shows the distributions of 622,600 chaotic states of the two neurons of the
DCNN with the following configurations: the initial condition
$x(t < 0) = (0.4, 0.6)^T$, $\tau(t) = 1 + 0.1\sin(t)$, and the three matrices
in Eq. (4) were set as follows:

$$A = \begin{pmatrix} 2 & -0.1 \\ -5 & 3 \end{pmatrix}, \quad
B = \begin{pmatrix} -1.5 & -0.1 \\ -0.2 & -2.5 \end{pmatrix}, \quad
C = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}.$$

The time step size h = 0.01 was used in the numerical solution to simulate
the DCNN.

³ In the experiments, the involved delay differential equation (DDE) with a
time-varying delay was numerically solved by the method proposed in [18] with
the same default error tolerance.
Fig. 2. The empirical distributions of the two neurons' states of the DCNN Eq. (4).

The distributions shown in Fig. 2 imply that the randomness of the PRBS
$\{B_i\}$ is weaker than that derived from the logistic map. Moreover, there exists
another more serious problem that dramatically influences the randomness of 
the PRBS derived from the DCNN. As can be seen, the DCNN is an analogue 
dynamical system with a continuous trajectory, which means that any two 
consecutive chaotic states simulated via a numerical algorithm are always 
closely correlated. As a result, the chaotic bits derived from consecutive chaotic 
states will also be closely correlated. Furthermore, the smaller the time step 
size h is, the stronger such a correlation will be. However, as mentioned in 
the last subsection, the time step size h should be small enough to achieve 
a good estimation of the true dynamics of the DCNN. That is, the close 
correlation between consecutive bits is an unavoidable defect of PRBS based 
on any analogue dynamical system like this DCNN. 

To evaluate the real randomness of the PRBS $\{B_i\}$ derived from the DCNN,
we carried out the runs test [19, Sec. 5.4.4] on the first 20,000 bits of
$\{B_i\}$ corresponding to the trajectory shown in Fig. 2, where the definition
of a run of a binary sequence is given in [17, Sec. 2.3.1]: "A run of length k
consists of exactly k identical bits and is bounded before and after with a bit
of the opposite value". The result is shown in Fig. 3. As a comparison, the
mathematical expectations of the number of runs of various lengths in an ideal
random binary sequence are also plotted. Observing Fig. 3, one can see that the
randomness of the PRBS generated by the DCNN is obviously very weak. As a
result of the poor randomness of $\{B_i\}$, it is expected that $\{A_j\}$ and
$\{D_j\}$ are also far from being random, which can be clearly seen by looking
at the numbers of different values in
$\{\lfloor A_j/2^{22} \rfloor\}_{j=0}^{16383}$ and $\{D_j\}_{j=0}^{16383}$, as
shown in Fig. 4.

Due to the serious non-uniform distributions of $\{A_j\}$ and $\{D_j\}$ in the
DCNN-based scheme, it is suspected that the encryption performance may not be
satisfactory. For example, Fig. 4 shows that the probability that
$A_j = D_j = 0$ is relatively high, which means that the encryption totally
fails in this case.

Fig. 3. The numbers of k-bit runs in one PRBS $\{B_i\}_{i=0}^{19999}$ generated
by the DCNN versus the expected numbers of a random bit sequence, where
k = 1 ~ 250. (Horizontal axis: run length.)

Fig. 4. The numbers of different values of a)
$\{\lfloor A_j/2^{22} \rfloor\}_{j=0}^{16383}$ and b) $\{D_j\}_{j=0}^{16383}$.
Note that only the numbers of values existing in the sequences are plotted in
the two sub-figures.



For two typical images, "Lenna" and "Peppers", the encryption results of the
DCNN-based scheme are shown in Fig. 5, where the secret key was set to be
the one used for Fig. 2. One can see that some visual information about the
plain-images has been leaked from the cipher-images. As a comparison, the
encryption results of the scheme based on the logistic map are given in Fig. 6,
where the original secret key in [14] was used: x(0) = 0.1777,
$\mu = 3.9999995$. Comparing Figs. 5 and 6, one can see that the DCNN-based
scheme has a much worse encryption performance than the one based on the
logistic map.

Fig. 5. Encryption results of the DCNN-based encryption scheme on two typical
plain-images: a) the plain-image "Lenna"; b) the plain-image "Peppers"; c) the
cipher-image of "Lenna"; d) the cipher-image of "Peppers".




Fig. 6. The encryption results of the encryption scheme based on the logistic map 
on the two plain-images "Lenna" and "Peppers": a) the cipher-image of "Lenna"; 
b) the cipher-image of "Peppers". 

3.2 Some Inadequate Sub-Keys in the DCNN-Based Scheme 



In [15], it was stated that the transfer/time-delay functions of each neuron
and the numerical algorithm itself are also part of the secret key. However,
these algorithmic details are generally embedded in the code of the
encryption/decryption machines, so they can be reverse-engineered by analyzing
the encryption/decryption machines. As a result, they are not suitable as part
of the secret key to ensure the security of the designed cryptosystem [20,
Sec. 1.1.7].

Of course, if a number of candidate algorithms are embedded in the cryptosys- 
tem, a sub-key may be introduced to secretly choose one for encryption and 
decryption. With such a measure, the size of the sub-key space is limited to 
the number of the candidate algorithms, which is not large enough to make 
the cryptosystem feasible in practice. 

There is another problem with other sub-keys in this scheme. When the struc- 
ture of the chaotic neural network is fixed, some limits have to be exerted 
on the values of the control parameters to ensure the chaoticity of the dy- 
namical system [21]. For the time step size of the numerical algorithm, this 
problem also exists, as the time step size must be small enough to approach 
the true dynamics of the DCNN. This problem will reduce the key space of 
the encryption scheme to some extent. 

3.3 Low Sensitivity of Encryption to Plaintexts

As is well known in cryptography [5], a good cryptosystem should be
sufficiently sensitive to small changes in the plaintext. However, this
property does not hold for the two encryption schemes proposed in [14,15].
Observing Eqs. (2) and (5), it is clear that a one-bit change in $P_j$ will
cause only a one-bit change in $C_j$, in the case that the same secret key is
used (i.e., both $A_j$ and $D_j$ are the same). If there are two different bits
with different values, the distance between them modulo L will also remain
unchanged after encryption.



4 Cryptanalysis 

To facilitate the cryptanalysis given in this section, the encryption processes
of the two encryption schemes are first unified as follows:

$$C_j = (P_j \lll_L D_j) \oplus A'_j, \qquad (7)$$

where $A'_j = A_j$ with L = 64 for the scheme in [14] and
$A'_j = (A_j \ggg_L D_j)$ with L = 32 for the scheme in [15]. Apparently, if
the two sequences $\{D_j\}_{j=0}^{N-1}$ and $\{A'_j\}_{j=0}^{N-1}$ can be
reconstructed, then they can be used as an equivalent key to decrypt the N
leading plain-blocks of any plaintext that is encrypted with the same key, as
follows:

$$P_j = (C_j \oplus A'_j) \ggg_L D_j. \qquad (8)$$






This can be done by employing some special properties of circular bit shift 
operations in known/chosen-plaintext attacks. Because this idea of cryptanal- 
ysis is completely independent of the underlying chaotic systems, it can work 
well for both schemes. 

In the first part of this section, we give some properties of the circular op- 
erations and then show how two very efficient and successful attacks can be 
developed based on these properties. 



4.1 Some Special Properties of Circular Bit Shift Operations

The circular bit shift operations have the following properties.⁴

Property 1 Assume that $L, \tau \in \mathbb{Z}^+$, $x \in \mathbb{Z}$,
$a^* \in \{0, \cdots, 2^\tau - 1\}$ and $\tau \mid L$. If
$a = \sum_{i=0}^{L/\tau-1} (a^* \cdot 2^{\tau i})$ and
$x \equiv 0 \pmod{\tau}$, then $(a \lll_L x) = (a \ggg_L x) = a$.

Proof: This property is a direct consequence of the definitions of L-bit left
and right circular bit shift operations. ■

Property 2 Assume that $L \in \mathbb{Z}^+$, $x \in \mathbb{Z}$ and
$a, b \in \{0, \cdots, 2^L - 1\}$. Then,
$(a \lll_L x) \oplus (b \lll_L x) = (a \oplus b) \lll_L x$ and
$(a \ggg_L x) \oplus (b \ggg_L x) = (a \oplus b) \ggg_L x$.

Proof: Assume that $a = \sum_{i=0}^{L-1} (a_i \cdot 2^i)$ and
$b = \sum_{i=0}^{L-1} (b_i \cdot 2^i)$. Then,
$(a \lll_L x) \oplus (b \lll_L x)
= \left(\sum_{i=0}^{L-1} (a_i \cdot 2^{(i+x) \bmod L})\right) \oplus
\left(\sum_{i=0}^{L-1} (b_i \cdot 2^{(i+x) \bmod L})\right)
= \sum_{i=0}^{L-1} ((a_i \oplus b_i) \cdot 2^{(i+x) \bmod L})
= (a \oplus b) \lll_L x$.
In a similar process,
$(a \ggg_L x) \oplus (b \ggg_L x) = (a \oplus b) \ggg_L x$ can also be
proved. ■

Property 3 Assume that $L \in \mathbb{Z}^+ \setminus \{1\}$, and
$a = \sum_{i=0}^{L-1} (a_i \cdot 2^i) \in \{0, \cdots, 2^L - 1\}$, where
$a_i \in \{0, 1\}$. If there exists $x \in \{1, \cdots, L - 1\}$ such that
$a \lll_L x = a$, then there must exist $\tau \mid \gcd(L, x)$ and
$a^* \in \{0, \cdots, 2^\tau - 1\}$ such that
$a = \sum_{i=0}^{L/\tau-1} (a^* \cdot 2^{\tau i})$.

Proof: This property is proved via mathematical induction on x.

When x = 1, the condition $a \lll_L 1 = a$ means the following:
$a_1 = a_2, \cdots, a_{L-1} = a_0$, which immediately leads to the result that
$a_0 = a_1 = \cdots = a_{L-1}$. Then, setting $\tau = 1$ and
$a^* = a_0 = \cdots = a_{L-1}$, one has
$a = \sum_{i=0}^{L-1} (a_i \cdot 2^i) = \sum_{i=0}^{L/\tau-1} (a^* \cdot 2^{\tau i})$,
where $(\tau = 1) \mid \gcd(L, x)$.

Now, assume the property is true for all integers smaller than $x \ge 2$. We
will prove that it also holds for x. Consider two different conditions as
follows.

C1) When $x \mid L$: from the condition $a \lll_L x = a$, it follows that a can
be divided into L/x identical segments, each of which has x bits. Setting
$\tau = x$ and $a^* = \sum_{i=0}^{x-1} (a_i \cdot 2^i)$, we have
$a = \sum_{i=0}^{L/x-1} (a^* \cdot 2^{x i}) = \sum_{i=0}^{L/\tau-1} (a^* \cdot 2^{\tau i})$,
where $(\tau = x) \mid (\gcd(L, x) = x)$.

C2) When $x \nmid L$: divide all the L bits into $\lceil L/x \rceil$ bit
segments, among which the last one contains only $\hat{x} = (L \bmod x)$ bits.
That is, a can be represented as $A \cdots A \hat{A}$, where
$A = a_0 \cdots a_{x-1}$ and $\hat{A} = \hat{a}_0 \cdots \hat{a}_{\hat{x}-1}$.
Performing $a \lll_L x$ and comparing it with a (note that $a \lll_L x = a$),
one can get $\forall\, i = 0 \sim (\hat{x} - 1)$, $\hat{a}_i = a_i$. Thus, a
becomes $\hat{A}\tilde{A} \cdots \hat{A}\tilde{A}\hat{A}$, where
$\hat{A} = a_0 \cdots a_{\hat{x}-1}$, $\tilde{A} = a_{\hat{x}} \cdots a_{x-1}$
and $A = \hat{A}\tilde{A}$. Then, performing $a \lll_L x$ and comparing it with
a again, one has $\hat{A}\tilde{A} = \tilde{A}\hat{A} = A$. This means that
$A \lll_x \hat{x} = A$. Since $\hat{x} < x$, by the assumption of the
mathematical induction, there exists $\tau \in \mathbb{Z}$ such that
$A = \sum_{i=0}^{x/\tau-1} (a^* \cdot 2^{\tau i})$, where
$\tau \mid \gcd(x, \hat{x})$ and $a^* \in \{0, \cdots, 2^\tau - 1\}$. Since
$\tau \mid \hat{x}$ also holds, one has
$\hat{A} = \sum_{i=0}^{\hat{x}/\tau-1} (a^* \cdot 2^{\tau i})$. Finally,
therefore, $a = \sum_{i=0}^{L/\tau-1} (a^* \cdot 2^{\tau i})$.

The above induction completes the proof of the property. ■

⁴ Property 1 has already been pointed out in [6, Sec. 7.4.1] for another image
encryption scheme based on the same operations.

Remark 1 In Property 3, if one changes $a \lll_L x = a$ to another form,
$a = a \ggg_L (L - x)$, the condition of $\tau$ will become
$\tau \mid \gcd(L, L - x)$. This is actually equivalent to
$\tau \mid \gcd(L, x)$, as $\gcd(L, x) = \gcd(L, L - x)$.

Combining Properties 1 and 3, one can easily derive the following theorem.

Theorem 1 Assume that $L \in \mathbb{Z}^+ \setminus \{1\}$, $x \in \mathbb{Z}$
and $a, b \in \{0, \cdots, 2^L - 1\}$. The equation $(a \lll_L x) = b$ (x is
the unknown) has more than one solution modulo L if and only if there exists
$\tau < L$, $\tau \mid L$ and $a^* \in \{0, \cdots, 2^\tau - 1\}$ such that
$a = \sum_{i=0}^{L/\tau-1} (a^* \cdot 2^{\tau i})$.

Proof: The "if" and "only if" parts of this theorem are direct consequences
of Properties 1 and 3, respectively. ■

An alternative form of Theorem 1 is as follows.

Theorem 2 Assume that $L \in \mathbb{Z}^+ \setminus \{1\}$, $x \in \mathbb{Z}$
and $a, b \in \{0, \cdots, 2^L - 1\}$. The equation $(a \lll_L x) = b$ (x is
the unknown) has only one solution modulo L if and only if there does not exist
$\tau < L$, $\tau \mid L$ and $a^* \in \{0, \cdots, 2^\tau - 1\}$ satisfying
$a = \sum_{i=0}^{L/\tau-1} (a^* \cdot 2^{\tau i})$.

When $\tau < L$, $a = \sum_{i=0}^{L/\tau-1} (a^* \cdot 2^{\tau i})$ actually
means that a can be represented by repeated bit patterns. For example, when
L = 8, $\tau = 4$ and $a^* = (1001)_2 = 9$, one has $a = (10011001)_2 = 153$,
where $(\cdots)_2$ denotes the binary representation (the same below).
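
Theorems 1 and 2 can be checked exhaustively for small block sizes. The Python below is an added example, not part of the original paper; the function names are illustrative, and b is taken over the rotations of a, which is the case the theorems are applied to in the attacks.

```python
# Added example: exhaustive check of Theorems 1 and 2 for small L.
# Bit i of the integer a is a_i, as in Definition 1.

def rotl(a, x, L):
    """L-bit left circular shift a <<<_L x; x may be any integer."""
    x %= L
    return ((a << x) | (a >> (L - x))) & ((1 << L) - 1)

def shift_solutions(a, b, L):
    """All x in {0, ..., L-1} that solve (a <<<_L x) == b."""
    return [x for x in range(L) if rotl(a, x, L) == b]

def min_period(a, L):
    """Smallest tau dividing L such that a is a tau-bit pattern a* repeated
    L/tau times, i.e. a = sum_i a* . 2^(tau*i). Returns L if none is shorter."""
    for tau in range(1, L + 1):
        if L % tau == 0:
            pattern = a & ((1 << tau) - 1)
            rebuilt = sum(pattern << (tau * i) for i in range(L // tau))
            if rebuilt == a:
                return tau
    raise AssertionError("unreachable: tau = L always matches")

def theorem_holds(L):
    """For every L-bit a and every rotation b of a, the shift amount is
    ambiguous exactly when a is a repeated pattern with tau < L, tau | L."""
    for a in range(1 << L):
        periodic = min_period(a, L) < L
        for d in range(L):
            n = len(shift_solutions(a, rotl(a, d, L), L))
            if (n > 1) != periodic:
                return False
    return True

if __name__ == "__main__":
    # The paper's L = 8 examples: 153 = (10011001)_2 repeats, 152 does not.
    print(min_period(153, 8), shift_solutions(153, 153, 8))
    print(min_period(152, 8), shift_solutions(152, rotl(152, 3, 8), 8))
    print(theorem_holds(8), theorem_holds(12))
```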



4.2 Chosen-Plaintext Attack

In this attack, two plaintexts can be deliberately chosen to ensure that all
elements in $\{D_j\}$ and $\{A'_j\}$ are uniquely determined. By choosing a
plaintext such that $P_j^{(1)} = 0$ or $2^L - 1$,
$\forall\, j = 0 \sim (N - 1)$, one obtains
$(P_j^{(1)} \lll_L D_j) = P_j^{(1)}$ and further gets
$A'_j = P_j^{(1)} \oplus C_j^{(1)}$. After recovering
$\{A'_j\}_{j=0}^{N-1}$, one may choose another plaintext such that each
$P_j^{(2)}$ cannot be represented by repeated bit patterns, for example,
$P_j^{(2)} = 152 = (10011000)_2$ when L = 8. Then, by Theorem 2, the value of
$D_j$ can always be uniquely determined by solving the following equation:

$$(P_j^{(2)} \lll_L D_j) = C_j^{(2)} \oplus A'_j.$$

4.3 Differential Known-Plaintext Attack

When the same key is used to encrypt two plaintexts,
$\{P_j^{(1)}\}_{j=0}^{N-1}$ and $\{P_j^{(2)}\}_{j=0}^{N-1}$, using Eq. (7) and
Property 2 one can easily deduce the following equality:

$$C_j^{(1)} \oplus C_j^{(2)}
= (P_j^{(1)} \lll_L D_j) \oplus (P_j^{(2)} \lll_L D_j)
= (P_j^{(1)} \oplus P_j^{(2)}) \lll_L D_j. \qquad (9)$$

The above equation means that $\{A'_j\}_{j=0}^{N-1}$ are completely
circumvented in a differential attack. Then, one can try to determine the value
of $D_j$ by searching all L possible values. From Theorem 2, the value $D_j$
can be uniquely determined if $P_j^{(1)} \oplus P_j^{(2)}$ cannot be
represented in repeated bit patterns. After obtaining $D_j$, one can further
get the value of $A'_j$ as follows:

$$A'_j = (P_j^{(1)} \lll_L D_j) \oplus C_j^{(1)}. \qquad (10)$$

Now, let us find the probability that the value of each $D_j$ cannot be
uniquely determined by solving Eq. (9), i.e., the probability that
$P_j^{(1)} \oplus P_j^{(2)}$ can be represented as repeated bit patterns.
Under the assumptions that $P_j^{(1)} \oplus P_j^{(2)}$ has a uniform
distribution over $\{0, \cdots, 2^L - 1\}$ and that any two differential
values are independent of each other, this probability can be calculated to be

$$p = \frac{\sum_{\tau < L,\ \tau \mid L} 2^{\tau}}{2^L}. \qquad (11)$$

Then, it can be easily calculated that $p \approx 2^{-16}$ when L = 32 and
$p \approx 2^{-32}$ when L = 64. In practice, this probability is generally
larger than the theoretical value due to the non-uniform distribution of the
plaintext and the correlation existing in two differential plaintexts. To the
advantage of the attacker, our experiments have shown that this probability is
still very small in most cases. The small probability ensures that it is a
high-probability event to uniquely determine the value of $D_j$ with only two
known plaintexts and their corresponding ciphertexts.
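
The chosen-plaintext attack of Sec. 4.2 and the differential known-plaintext attack of Sec. 4.3 are written out below in Python as an added example (not the authors' code). Python's `random` module stands in for the chaotic PRBS, which is an assumption made here; the function names and the sample plaintexts are constructed for illustration.

```python
# Added example, not the authors' code. Assumption: Python's `random` module
# stands in for the chaotic PRBS, since both attacks use only Eq. (7),
# C_j = (P_j <<<_L D_j) XOR A'_j, and never touch the generator.
import random

def rotl(a, x, L):
    """L-bit left circular shift (Definition 1); a negative x shifts right."""
    x %= L
    return ((a << x) | (a >> (L - x))) & ((1 << L) - 1)

def make_key(n, L, dcnn, seed):
    """Secret (D_j, A'_j) per block: A'_j = A_j in [14], A_j >>>_L D_j in [15]."""
    rng = random.Random(seed)
    key = []
    for _ in range(n):
        a, d = rng.getrandbits(L), rng.randrange(L)
        key.append((d, rotl(a, -d, L) if dcnn else a))
    return key

def encrypt(blocks, key, L):                      # Eq. (7)
    return [rotl(p, d, L) ^ a for p, (d, a) in zip(blocks, key)]

def decrypt(blocks, key, L):                      # Eq. (8)
    return [rotl(c ^ a, -d, L) for c, (d, a) in zip(blocks, key)]

def solve_shift(a, b, L):
    """All x in {0..L-1} with (a <<<_L x) == b; unique under Theorem 2."""
    return [x for x in range(L) if rotl(a, x, L) == b]

def chosen_plaintext_attack(oracle, n, L):
    """Sec. 4.2: recover the equivalent key from two chosen plaintexts."""
    c1 = oracle([0] * n)          # all-zero blocks are shift-invariant: A'_j = C_j
    p2 = 1                        # 0...01 is not a repeated bit pattern
    c2 = oracle([p2] * n)
    return [(solve_shift(p2, c ^ a, L)[0], a) for a, c in zip(c1, c2)]

def differential_attack(p1, c1, p2, c2, L):
    """Sec. 4.3: recover the key from two known pairs; also list ambiguous j."""
    key, ambiguous = [], []
    for j, (pa, ca, pb, cb) in enumerate(zip(p1, c1, p2, c2)):
        cands = solve_shift(pa ^ pb, ca ^ cb, L)  # Eq. (9): A'_j cancels out
        if len(cands) != 1:                       # repeated-pattern differential
            ambiguous.append(j)
        d = cands[0]
        key.append((d, rotl(pa, d, L) ^ ca))      # Eq. (10)
    return key, ambiguous

def repeat_probability(L):
    """Eq. (11): sum of 2^tau over divisors tau < L of L, divided by 2^L."""
    return sum(2 ** t for t in range(1, L) if L % t == 0) / 2 ** L

def demo(L=32, n=1024, dcnn=True, seed=2007):
    key = make_key(n, L, dcnn, seed)
    oracle = lambda blocks: encrypt(blocks, key, L)
    rng = random.Random(seed + 1)                 # constructed sample plaintexts
    p1, p2, p3 = ([rng.getrandbits(L) for _ in range(n)] for _ in range(3))
    c1, c2, c3 = oracle(p1), oracle(p2), oracle(p3)
    cpa_key = chosen_plaintext_attack(oracle, n, L)
    dkp_key, ambiguous = differential_attack(p1, c1, p2, c2, L)
    wrong = sum(x != y for x, y in zip(decrypt(c3, dkp_key, L), p3))
    return {"cpa_exact": cpa_key == key,
            "cpa_breaks_p3": decrypt(c3, cpa_key, L) == p3,
            "ambiguous": len(ambiguous), "dkp_wrong_blocks": wrong}

if __name__ == "__main__":
    print(demo(), repeat_probability(32), repeat_probability(64))
```

Blocks whose differential is a repeated bit pattern are reported as ambiguous rather than guessed silently; only those blocks can be decrypted wrongly with the recovered key.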

To evaluate the performance of the differential plaintext attacks, some
experiments were carried out in which a number of natural images were chosen as
plaintexts. Consider the case of the 2-neuron DCNN shown in Eq. (4) with the
same configurations set in Sec. 3.1. With the two plain-images and the
corresponding cipher-images shown in Fig. 5, we reconstructed
$\{D_j\}_{j=0}^{16383}$ and $\{A'_j\}_{j=0}^{16383}$. In all the 16384 elements
of each sequence, only two could not be uniquely determined, which is about
0.012% ($\approx 2^{-13}$). Then, the two reconstructed sequences
$\{D_j\}_{j=0}^{16383}$ and $\{A'_j\}_{j=0}^{16383}$ were used to decrypt a
cipher-image shown in Fig. 7a (which corresponds to a plain-image "House"). The
recovered plain-image is given in Fig. 7b. One can see that the breaking
performance is nearly perfect.




Fig. 7. A near-perfect breaking result of the differential known-plaintext attack
on the DCNN-based scheme: a) the cipher-image corresponding to a plain-image
"House"; b) the decrypted plain-image.

The same experiments were also carried out on the scheme based on the logistic
map with the same known plain-images and the corresponding cipher-images
shown in Fig. 6. As analyzed above, in this case the probability that each
value of $D_j$ and $A'_j$ cannot be uniquely determined is estimated to be
$2^{-32}$. Considering there are only $256 \times 256/8 = 2^{13}$ plain-blocks,
one can expect that all elements in $\{D_j\}_{j=0}^{8191}$ and
$\{A'_j\}_{j=0}^{8191}$ will be uniquely determined with very high probability,
thus leading to a perfect breaking of the plain-image. Our experiments agreed
well with this expectation. Figure 8 shows the breaking result on the
plain-image "House".

Fig. 8. A perfect breaking result of the differential known-plaintext attack on the
encryption scheme based on the logistic map: a) the cipher-image corresponding to
"House"; b) the recovered plain-image.

5 Conclusions

This paper has analyzed the security of two chaotic encryption schemes based
on circular bit shift and XOR operations. It has been found that these two
schemes are insecure against the differential known-plaintext attack and the
chosen-plaintext attack, in which only two known/chosen plaintexts are
required to achieve a perfect breaking performance. Moreover, some other
security problems existing in the two encryption schemes have been pointed out.
Our cryptanalytic results suggest that the two encryption schemes should be
further enhanced before they can be used in applications requiring a high level
of security.